Network Rail takes your right to privacy seriously and wants you to feel comfortable when using Wi-Fi at the stations we manage. Information by which you can be identified will only be used in accordance with this privacy notice and only for the reasons you are aware of.
- What information we collect from you
- How do you collect and use my pseudo mac address?
- Why do we need to collect pseudo mac address & what do we do with it?
- How do you store my pseudo mac address?
- Our legal basis for processing
- What if I don’t want to use the Wi-Fi or change my mind?
- Roles and responsibilities
- Your rights
- Contact us
The Wi-Fi is provided by Network Rail Infrastructure Limited, a company registered in England and Wales whose registered office is 1 Eversholt Street, London, NW1 2DN and whose registered number is 02904587 (“Network Rail”) and their service provider Telent Technology Services Limited, a company registered in England and Wales whose registered office is Point 3, Haywood Road, Warwick, CV34 5AH and whose registered number is 703317 (“telent”) (together “we”, “us”, “our”).
By using the Wi-Fi, you acknowledge our processing of Pseudo MAC addresses. Any changes we make in the future will be posted in this Privacy Notice, so please check back frequently to see any updates.
This Privacy Notice (together with our terms and conditions) sets out the basis on which we collect personal data from you. When we do so, we are subject to the Data Protection Act 2018 and General Data Protection Regulation 2016/679 as amended from time to time (“Privacy Laws”).
Network Rail and telent are joint data controllers. Find the lead party for our joint responsibilities.
What information we collect from you
There are two types of media access control (MAC) addresses:
- Pseudo MAC address (“Pseudo MAC address”). Pseudo means that there are techniques in place that replace or remove information from the MAC address that can identify the device. The Pseudo MAC address is automatically de-personalised, which means that we are unable to identify any individual.
- The MAC address hard coded into a device from the factory (“Hardcoded MAC address”).
We only collect your Pseudo MAC address to connect you to the Wi-Fi. We do not collect any other personal data as part of this Wi-Fi service.
How do you collect and use my pseudo mac address?
This is a typical flow demonstrating how the user device connects to the station Wi-Fi system:
- When Wi-Fi is enabled on your device (phone, laptop, tablet, etc.), your device constantly broadcasts its presence to Wi-Fi hotspots to let them know that the device is within range to access the Wi-Fi. It does this by using a Pseudo MAC address that is unique to your device.
- Our participating stations have access points which are also broadcasting their presence to let your device know that our Wi-Fi network is available.
- If you have never used the Wi-Fi before or are agreeing to the terms and conditions to use the Wi-Fi again, there is no automatic association between the access point and your device.
- So that we can connect you to our Wi-Fi, you need to manually select our Wi-Fi network in your device settings. This then allows your device to broadcast an association request to our access point.
- Our access point receives the signal from your device which contains the Pseudo MAC address and we then redirect you to our registration page which contains terms and conditions to accept or reject. You will need to follow this process so that we can connect you to the Wi-Fi.
- If you accept, your device’s Pseudo MAC address is then “hashed” (randomised) and stored to identify this as an associated device. The device then has access to the Internet.
Can you distinguish between different identifiable users using the Wi-Fi?
We cannot distinguish between specific individuals using the Wi-Fi and we do not need to. In other words, if you and your friend both use the Wi-Fi, we wouldn’t be able to tell which Pseudo MAC address belongs to who or who you are. But we would be able to see there were two users of the Wi-Fi.
Why do we need to collect pseudo mac address & what do we do with it?
Network Rail passengers identified that one of the key improvements that could be made to enhance their station experience was free Wi-Fi. This is part of Network Rail’s plans to put passengers first.
We need to collect your Pseudo MAC address so that we can connect your device to the in-station Wi-Fi network.
So that we can provide you with a seamless experience, we store your Pseudo MAC address for 90 days so that we can re-connect you to the Wi-Fi within that period in any participating station. This means that you don’t need to register (agree to our Terms and Conditions) each time you want to use our Wi-Fi in that 90 day period.
We also want to provide you with the best user experience, so we will use the data collected to report on how many devices are using the Wi-Fi. This will also help us understand how satisfied users are with it, for example through increased use. We are unable to identify you from this data.
How do you store my pseudo mac address?
Your personal data is stored in two areas:
- Locally – at each individual station whilst your device is connected to the Wi-Fi in that station, after that it is deleted; and
- Your personal data is also hosted in UK, Ireland and other points of presence within EU boundaries and we use technical and organisational measures to safeguard it. Where your personal data is transferred outside the UK, we will implement safeguards and data protection solutions to make sure your information is adequately protected (to the extent such safeguards and solutions are required by law). If you would like to obtain the details of such safeguards and solutions, you can request these by contacting us at firstname.lastname@example.org.
What safeguards are in place?
The safeguards and solutions used to protect your personal data include ISO27001 & Cyber Essentials standards. All Wi-Fi users will be authenticated against UK and/or EU based cloud platforms with all session data stored in secure, encrypted cloud containers while at rest under these standards. This family of standards helps us manage, protect, retrieve, dispose of your information and keep it safe and secure.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the network; any transmission is at your own risk.
How long do you store my Pseudo MAC address for?
We store your Pseudo MAC address for 90 days. After that, it is deleted in accordance with the ISO27001 & Cyber Essentials standards. You will then need to sign up to the terms and conditions again.
Our legal basis for processing
Do you disclose my pseudo mac address to third parties?
We may need to disclose your Pseudo MAC address when:
- It is necessary to involve a third party service provider in order to facilitate or extend our services.
- Required by a court order or any legal or regulatory requirement.
- In connection with the sale, transfer or reorganisation of a business.
- To enforce our contracts and, if we are defending a legal claim, your information may be transferred as required in connection with defending such claim.
- To ensure the safety and security of our users, staff, and third parties.
- To protect our rights and property and the rights and property of our users, staff and third parties.
What if I don’t want to use the Wi-Fi or change my mind?
If you have already accepted our terms and conditions which enables you to re-connect to the Wi-Fi in the 90 day period but no longer want to, you can either:
- Turn off your Wi-Fi on your device.
- Turn your device off.
- Put your device into airplane mode.
- Forget this network. To do this, you will need to go to your Wi-Fi settings, select this Wi-Fi and click on the option that allows you to ‘forget this network’. By forgetting the network, you will have to accept our terms and conditions again to connect to the Wi-Fi.
A cookie is a small data file of letters and numbers that we store on your browser or the hard drive of your device if you agree. Cookies contain information that is transferred to your device's hard drive.
So that we can provide you with the best possible experience when you use the Wi-Fi and browse our website, we may create cookies when you visit our website and use the Wi-Fi.
Cookies help us:
- Manage continuity of your Wi-Fi session only when using the Wi-Fi.
- Maintain the language defined by your device that it wishes to operate in. This is to make sure that the user only receives the language of their choice as a portal. Even if only English is used this cookie is required to manage the user service across the Wi-Fi platform.
We use the following cookies:
Strictly necessary cookies. These are cookies that are required for the operation of the Wi-Fi network.
We do not use targeting / advertising, functionality, analytical or performance cookies. These are cookies which record your visits to websites, the pages you have visited and the links you have followed.
For further information on cookies generally, including how to control and manage them, visit the guidance on cookies published by the UK Information Commissioner’s Office, or www.aboutcookies.org
Wi-Fi network cookies
Overview of the cookies used, including details of who sets each cookie, its use, when it expires, and, if relevant, how you can find out further information:
| Name | 1st or 3rd Party | Use | Expiry | Further information |
|---|---|---|---|---|
| JSESSIONID | 1st party | Session ID cookie – this is a cookie held on the software of your device. | Session | Please see our service provider's policy for further information: |
| portal_user_lang | 1st party | To understand which language the Portal is being viewed – this is a cookie held on the software of your device. Even if only English is used this cookie is required to manage the user service across the Wi-Fi platform. | Session | Please see our service provider's policy for further information: |
Roles and responsibilities
Network Rail and telent are joint data controllers.
We have agreed the lead party for our joint responsibilities which is set out below:
|Compliance with Privacy Laws||Yes||Yes|
|Data Protection Impact Assessment||Yes||No|
|Privacy Notice (document agreed by both parties)||No||Yes|
|Contact point for all personal data enquiries relating to this Wi-Fi. See contact details provided in policy.||No||Yes|
|Provision of information to data subjects||Yes||Yes|
|Inform Data Subject of Personal Data Breach||Yes||No|
|Inform ICO of Personal Data Breach||Yes||No|
It is technically possible to match your Pseudo MAC address but only if you provide that to us because we do not retain the MAC address itself. We can do this by matching the Pseudo MAC address against our record of stored Pseudo MAC addresses (stored for the 90 day period for the return user experience) – this is the Pseudo MAC address collected when your device makes the authentication request and not the Hardcoded MAC address.
We are unable to match the Hardcoded MAC address in a device because we do not collect it and/or store it.
Under the Privacy Laws, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to delete your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
Given the nature of the data we process and the processing we undertake, these rights may not apply unless you provide us with the Pseudo MAC address as we are not able to identify you specifically. Even then, it does not mean that we will be able to identify you as a specific individual. This is because:
- We cannot assume the individual providing us with that Pseudo MAC address is the same person that had the device and was using it during the 90 day period in which the pseudonymised and hashed (randomised) MAC address was stored on our system.
- On the basis the device could have been used by or in the possession of different users (breaking the direct link between the Pseudo MAC address and that individual) it would not be practical or proportionate to find out who was using the device each time the device connected to the Wi-Fi.
For these reasons, in most instances, we are also not able to provide users with data in response to a request to access the Wi-Fi data (Pseudo MAC address) generated by a device.
If you want to make a request or would like to contact us with any queries relating to your personal data – please contact us at email@example.com.
For your requests or other enquiries to Network Rail, please contact Network Rail's Data Protection Officer at: firstname.lastname@example.org.
NOTE: We will collect any contact details about you and your complaint/enquiry and only retain it for these purposes and for the length of time it takes to conclude your enquiry.
If you have any concerns about how we have used your data, please contact us in the first instance. You also have the right to make a complaint to the Information Commissioner’s Office.